With the explosion in access to and usage of the Internet 40, as shown in FIG. 1, individuals have discovered and become dependent upon the availability of large amounts of information, as well as the ability to buy and sell goods and services. As shown in FIG. 1, a typical Internet user would have a browser, such as Internet Explorer™ or Netscape™, installed on a personal computer (PC) 10 or server 20. Using this browser, the user would access an Internet service provider, such as America-On-Line (AOL™) (not shown), via a modem over the local public switched telephone network (PSTN), a cable network or a satellite link. Once logged onto an Internet web server (web server) 30, the user may utilize one of the many search engines, such as Yahoo™ or Lycos™, to specify search terms. The user could also log onto a web server 30 to view the products or services available for sale or to receive the information desired.
FIG. 2 illustrates the software and hardware involved in communications between a server 20 and a web server 30. Server 20 would contain application software 200, such as, but not limited to, a browser, communicating with a network protocol 210, such as, but not limited to, TCP/IP (Transmission Control Protocol/Internet Protocol) or UDP (User Datagram Protocol), which in turn would communicate with a network interface 220. The network interface 220 may be, but is not limited to, any type of serial or parallel modem. The network interface 220 would communicate with the network/Internet 40, which in turn would interface to web server 30. Again, within web server 30, a network interface 230, such as a serial or parallel modem, would communicate with the network protocol 240, such as, but not limited to, TCP/IP or UDP. Thereafter, communications would be established with an application 250, which may be a search engine or any other type of web application.
However, the Internet 40 has proven to be prone to "hackers" who develop software that infiltrates computers connected to the Internet 40, or software that enables distributed denial of service (DDoS) attacks on web servers 30. The most common form of DDoS attack is the flood attack, carried out using many remotely controlled software applications, also known as zombie applications (zombies) 300, as shown in FIG. 3. Zombie applications 300 look and act, to server 20, like any other software application 200, process, or macro. Therefore, most users would not recognize the presence of a zombie 300 embedded in their server 20 or personal computer (PC) 10. Often a zombie application 300 would enter a server 20 or PC 10 via email. The server 20, PC 10 or web server 30 may also be infected with a zombie 300 by some other method, such as via a false program, called a Trojan Horse, or via a virus obtained through file sharing.
During the most recent widely publicized DDoS attacks, there were estimates of thousands of zombies 300 all sending small packets to a single web server 30. Because each packet is individually well formed, the web server 30 is unable to tell the real traffic from the DDoS attack and collapses under the aggregate load. Virus scanners have proven ineffective in stopping DDoS attacks, since a signature-based virus scanner can only remove a zombie 300 after the characteristic signature of that zombie 300 is known, which is typically after the attack has already taken place.
Still referring to FIG. 3, once a "hacker" has embedded the zombie 300 in the servers 20, all that is needed to initiate the DDoS attack is a denial of service initiator 310. This denial of service initiator 310 may be a message from the "hacker" or a specific time of day. It should be noted that FIG. 3 is identical to FIG. 2 with the exception of the zombie 300 and the denial of service initiator 310. This allows a large and important web server to be easily disabled, costing, in many cases, millions of dollars in lost revenue.
Therefore, a system, method, and computer program are needed that will detect the presence of zombie applications and block them from launching a massive number of packets for delivery to a web server. This system, method, and computer program must detect and block the zombie packets at the originating server 20 or PC 10, before they can cause any denial of service to a web server 30. Further, this system, method, and computer program must be compatible with the existing communications protocols used in packet switched networks. Further, the system, method, and computer program must be easy to install and must not interfere with normal packet transmission and reception.
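To make the requirement concrete, the following is an added example, not code from this application, of the kind of host-side egress check the preceding paragraphs call for: a sliding-window packet counter keyed on (originating process, destination) that lets a normal browser flow through untouched while capping any single process that starts flooding one destination. The packet trace, the process identifiers 1234 and 6666, the hostnames, and the limit of 100 packets per second are all constructed for illustration and are not taken from the application.

```python
"""Egress flood detector: per-(process, destination) sliding-window rate limit.

Added illustration only. It models the zombie-blocking point described in the
background: packets are checked on the host that emits them, before they reach
the network, so a flooding process is stopped without touching other flows.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: int   # send time in milliseconds (integer, so the window math is exact)
    pid: int     # originating process (hypothetical identifier)
    dst: str     # destination host (hypothetical name)


class EgressFloodDetector:
    """Allow at most `limit` delivered packets per `window_ms` for each
    (pid, dst) key. Blocked packets are not counted toward the window, so a
    flooding process stays capped at `limit`/window rather than locked out."""

    def __init__(self, limit: int = 100, window_ms: int = 1000):
        self.limit = limit
        self.window_ms = window_ms
        self._history = defaultdict(deque)   # key -> timestamps of delivered packets
        self.allowed = defaultdict(int)
        self.blocked = defaultdict(int)

    def check(self, pkt: Packet) -> bool:
        """Return True if the packet may be sent, False if it must be dropped."""
        key = (pkt.pid, pkt.dst)
        q = self._history[key]
        # Discard delivered timestamps that have fallen outside the window.
        while q and pkt.ts_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) < self.limit:
            q.append(pkt.ts_ms)
            self.allowed[key] += 1
            return True
        self.blocked[key] += 1
        return False

    def suspect_pids(self) -> set:
        """Processes that have had at least one packet dropped."""
        return {pid for (pid, _dst), n in self.blocked.items() if n > 0}


def build_sample_trace() -> list:
    """Constructed trace (not captured data): a browser (pid 1234) at 5 pps to
    a shop, the same browser at 2 pps to the victim, and a zombie (pid 6666)
    emitting 1000 packets in one second to the victim."""
    trace = [Packet(ts_ms=i * 200, pid=1234, dst="www.example.net") for i in range(50)]
    trace += [Packet(ts_ms=20000 + i * 500, pid=1234, dst="victim.example") for i in range(4)]
    trace += [Packet(ts_ms=20000 + i, pid=6666, dst="victim.example") for i in range(1000)]
    trace.sort(key=lambda p: p.ts_ms)
    return trace


def run_trace(det: EgressFloodDetector, trace: list) -> dict:
    """Feed every packet through the detector in time order; return per-key counts."""
    for pkt in trace:
        det.check(pkt)
    keys = set(det.allowed) | set(det.blocked)
    return {k: {"allowed": det.allowed[k], "blocked": det.blocked[k]} for k in keys}


if __name__ == "__main__":
    detector = EgressFloodDetector(limit=100, window_ms=1000)
    for key, counts in sorted(run_trace(detector, build_sample_trace()).items()):
        print(key, counts)
    print("suspect processes:", detector.suspect_pids())
```

Keying on the originating process as well as the destination is what keeps the check from interfering with normal traffic: the browser's own packets to the victim host are still delivered while the zombie on the same machine is capped, and the zombie is identified by its behaviour rather than by a signature, which is the gap the preceding paragraph attributes to virus scanners.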